Abstract



Let $p$ be prime and $\mathbb{Z}_{p^n}$ the degree $n$ unramified extension of the ring
of $p$-adic integers $\mathbb{Z}_p$. In this paper we give an overview of some very
fast algorithms for common operations in $\mathbb{Z}_{p^n}$ modulo $p^N$. Combining
existing methods with recent work of Kedlaya and Umans about modular
composition of polynomials, we achieve quasi-linear time algorithms in the
parameters $n$ and $N$, and quasi-linear or quasi-quadratic time in $\log p$,
for most basic operations on these rings, including Galois conjugation,
Teichmüller lifting and computing minimal polynomials.

1 Introduction 

In this article we aim at explaining very fast methods for arithmetic in finite
precision degree $n$ unramified $p$-adic rings $\mathbb{Z}_{p^n}$. Although no truly new
computational ideas are presented, most results are new and follow from combining
existing algorithms with recent results of Kedlaya and Umans (in particular
Theorem 1 below). We do not intend to give complete algorithms, but rather
accurate references to the literature combined with precise asymptotic estimates,
so that our results can be used as a reference.

A central source for classical fast algorithms is the book [2], and for more
specific $p$-adic methods we refer to Chapter 12 of [1]. The result that allows
us to give improvements upon the literature is the following. Note that we will
give another version of this theorem, more suitable for our needs, below.

Theorem 1 (Kedlaya-Umans, [5, Theorem 7.1 with parameters $m = 1$, $N = d$])
Let $R$ be a finite ring of cardinality $q$ given as $(\mathbb{Z}/r\mathbb{Z})[Z]/(E(Z))$ for some
monic polynomial $E(Z)$. For every constant $\delta > 0$ there is an algorithm that
does the following. Given polynomials $f(X)$, $g(X)$ and $h(X)$ over $R$ of degree
at most $d$, such that $h$ has a unit as leading coefficient and that we have access
to $d^{1+\delta}$ distinct elements of $R$ whose differences are units in $R$; then it can
compute $f(g(X)) \bmod h(X)$ in time $O(d^{1+\delta} \log^{1+o(1)} q)$.



All results below for computing in $\mathbb{Z}_{p^n}$ with precision $p^N$ are quasi-linear
except for some extra factor $\log p$ arising from computing a $p$-th power in
the finite field $\mathbb{F}_{p^n}$. For example, computing a Teichmüller lift requires time




would yield a similar improvement for most of our results. Moreover, it is easy to
verify that the memory requirements for all results in this paper are essentially
linear.

The main application that we have in mind is $p$-adic point counting algorithms
on varieties over finite fields, see e.g. Chapter 17 in [1], which profit a lot
from fast $p$-adic arithmetic. For example, in our papers [3] and [4] we showed
how to compute the zeta function of hyperelliptic curves in certain families over
a finite field $\mathbb{F}_{p^n}$ in time $O(n^{2.667})$ (for fixed genus and characteristic). This
improves to $O(n^{2+\varepsilon})$ using the results from this paper.

The structure of the remainder of the paper is quite straightforward: we start in
each subsection with a precise formulation of the result, and then give references
or a proof. The following results are presented: elementary arithmetic, Newton
iteration, Galois conjugation, equations involving the Frobenius automorphism,
Teichmüller lift, minimal polynomial, trace, norm and Teichmüller modulus.

2 Fast arithmetic 

We choose once and for all a prime number $p$, an extension degree $n \geq 1$
and a $p$-adic precision $N \geq 1$. We work in the unramified $p$-adic ring $\mathbb{Z}_{p^n}$
modulo $p^N$, and this ring is supposed to be represented as $\mathbb{Z}_p[x]/\varphi(x)$ for some
monic inert (i.e. irreducible modulo $p$) polynomial $\varphi(x) \in \mathbb{Z}_p[x]$ of degree $n$
and precision $p^N$. From now on the notation $\mathbb{Z}_{p^n} \bmod p^N$ will be used for this
setting (including the implicit polynomial $\varphi(x)$).

It is not in the scope of this text to discuss how to find a (large) prime $p$
and some inert polynomial $\varphi(x)$ of given degree $n$. However, we note that for
finding $\varphi(x)$ it suffices to compute an irreducible polynomial $\bar\varphi(x)$ of degree $n$
over $\mathbb{F}_p$ (any monic lift of it to $\mathbb{Z}_p[x]$ is inert), which is an extensively studied
problem, see e.g. the reference in the proof of Theorem 2 below.

For our purposes Theorem 1 is not immediately applicable, hence we give a
reformulation.

Theorem 2 Let $f(x)$, $g(x)$ and $h(x)$ be polynomials of degree at most $n$ over
$\mathbb{Z}_p \bmod p^N$, with $h(x)$ monic. Then we can compute $f(g(x)) \bmod h(x)$ in
time $O((Nn\log p)^{1+\varepsilon})$.

Proof. If $p$ is large enough, say $p > n^2$, we can use Theorem 1 directly
because $\mathbb{Z}_p$ contains enough (readily available) units. Suppose hence $p \leq n^2$.
Shoup has shown in [8] how to construct some irreducible polynomial $\bar E(Y)$
over $\mathbb{F}_p$ of degree $a$ in time $O(((a^2 + a\log p)\log p)^{1+\varepsilon})$, subsequently improved
in Section 8.5 of [5]. It now suffices to take $a := \lceil \log_p n^2 \rceil$ and to note that
$\log p$ is then dominated by $2\log n$. Let $E(Y)$ be a monic lift of $\bar E(Y)$; then the ring
$\mathbb{Z}_p[Y]/E(Y)$ has at least $n^2$ elements whose differences are units, and we conclude the
proof with Theorem 1. □

We note that the use of the exponent $1 + \varepsilon$ in all our complexity estimates
has the classical meaning that for every $\varepsilon > 0$ an algorithm exists with this
estimate. For most results only logarithmic factors are needed (e.g. $O(n\log n)$
instead of $O(n^{1+\varepsilon})$), but we choose a more uniform formulation.

2.1 Elementary operations: $+$, $-$, $\cdot$, $/$

Proposition 1 is essentially Corollary 11.10 in [2].

Proposition 1 Let $\alpha, \beta \in \mathbb{Z}_p \bmod p^N$. We can compute $\alpha + \beta$ and $\alpha - \beta$ in
time $O(N\log p)$. We can compute $\alpha \cdot \beta$ and, if $\beta$ is a unit, also $1/\beta$ in time
$O((N\log p)^{1+\varepsilon})$.

Proposition 2 Let $\alpha, \beta \in \mathbb{Z}_{p^n} \bmod p^N$. We can compute $\alpha + \beta$ and $\alpha - \beta$ in
time $O(Nn\log p)$. We can compute $\alpha \cdot \beta$ and, if $\beta$ is a unit, also $1/\beta$ in time
$O((Nn\log p)^{1+\varepsilon})$.

Proof. The result for $\alpha \pm \beta$ is entirely straightforward. Corollary 9.7 in [2]
implies that $\alpha \cdot \beta$ can be computed in the same amount of time, up to a
constant, as the product of two polynomials of degree $n$ in $\mathbb{Z}_p[X] \bmod p^N$,
which is $O((Nn\log p)^{1+\varepsilon})$ by Theorem 8.23 in the same book and Proposition 1
above. Over $\mathbb{F}_{p^n}$ the inverse of the reduction $\bar\beta$ of $\beta$ modulo $p$ can be computed
in time $O((n\log p)^{1+\varepsilon})$ by Corollary 11.6 in [2]. Afterwards $1/\bar\beta$ can be Newton
lifted to $1/\beta$ by Algorithm 9.10 in [2], which clearly has the required asymptotic
complexity. □

2.2 Root finding (Newton iteration) 

In this section we assume that some root, which is not a multiple root, is already 
known modulo p. 

Proposition 3 Let $f(Y)$ be a polynomial over $\mathbb{Z}_p \bmod p^N$ of degree $m$, and
$y_0 \in \mathbb{Z}_{p^n} \bmod p^N$ such that $f(y_0) \equiv 0 \bmod p$ and $\frac{\partial f}{\partial Y}(y_0) \not\equiv 0 \bmod p$. Then we
can compute $y \in \mathbb{Z}_{p^n} \bmod p^N$ such that $y \equiv y_0 \bmod p$ and $f(y) \equiv 0 \bmod p^N$ in
time $O((N(n + m)\log p)^{1+\varepsilon})$.

Proposition 4 Let $f(Y)$ be a polynomial over $\mathbb{Z}_{p^n} \bmod p^N$ of degree $m$, and
$y_0 \in \mathbb{Z}_{p^n} \bmod p^N$ such that $f(y_0) \equiv 0 \bmod p$ and $\frac{\partial f}{\partial Y}(y_0) \not\equiv 0 \bmod p$. Then we
can compute $y \in \mathbb{Z}_{p^n} \bmod p^N$ such that $y \equiv y_0 \bmod p$ and $f(y) \equiv 0 \bmod p^N$ in
time $O((Nnm\log p)^{1+\varepsilon})$.

Proof. Both propositions can easily be proven by using classical $p$-adic Newton
iteration with quadratic convergence, Algorithm 9.22 in [2]: each step $y \leftarrow y - f(y)/f'(y)$
doubles the precision, so $O(\log N)$ steps suffice. Note that for
Proposition 4 we need the obvious generalization of Theorem 2 to polynomials
over $\mathbb{Z}_{p^n} \bmod p^N$. The complexity estimates are entirely straightforward. □

2.3 Galois conjugates 

We denote with $\sigma$ the $p$-th power Frobenius automorphism on $\mathbb{Z}_{p^n}$. Note that
$\sigma^n$ is the identity map.

Proposition 5 Let $\alpha \in \mathbb{Z}_{p^n} \bmod p^N$ and $0 \leq k < n$ an integer. We can
compute $\sigma^k(\alpha)$ in time $O(((N + \log p)n\log p)^{1+\varepsilon})$.

Proof. Let $\mathbb{F}_{p^n} = \mathbb{F}_p[x]/\bar\varphi(x)$ be the 'reduction modulo $p$' of $\mathbb{Z}_{p^n}$, and $\bar\sigma$ the
$p$-th power Frobenius on it. Clearly we can compute $\bar\sigma(x) = x^p$ in $\mathbb{F}_{p^n}$ in time
$O((n\log^2 p)^{1+\varepsilon})$. In order to compute $\bar\sigma^k(x) = x^{p^k}$ we use the following lemma.
Lemma 1 Given the polynomials $A(x) := (x^{p^a} \bmod \bar\varphi(x))$ and $B(x) := (x^{p^b} \bmod
\bar\varphi(x))$ for some integers $a, b \geq 1$, we have that $A(B(x)) \equiv x^{p^{a+b}} \bmod \bar\varphi(x)$, and
this composition can be computed in time $O((n\log p)^{1+\varepsilon})$.

Proof of the lemma. Write $A(Y) = Y^{p^a} + Q(Y)\bar\varphi(Y)$. Since $B(x)$ is a root of $\bar\varphi$ modulo $\bar\varphi(x)$,
we get $A(B(x)) \equiv B(x)^{p^a} \equiv x^{p^b p^a} = x^{p^{a+b}} \bmod \bar\varphi(x)$. Now Theorem 2 (for $N = 1$)
gives the lemma. □
Proof of the proposition (continued). The idea to compute $\bar\sigma^k(x)$ is to
use the binary representation of $k$ combined with the lemma. The general algorithm
is similar to the classical repeated squaring technique (Algorithm 4.8 in
[2]), we explain here only the easier case where $k = 2^m$ for an integer $m \geq 1$. The
procedure is quite obvious: compute recursively $A_i(x) = A_{i-1}(A_{i-1}(x)) \bmod
\bar\varphi(x)$ with $A_0(x) = \bar\sigma(x)$. Lemma 1 yields $A_1(x) = x^{p^2} \bmod \bar\varphi(x)$, $A_2(x) =
x^{p^4} \bmod \bar\varphi(x), \ldots, A_m(x) = x^{p^{2^m}} \bmod \bar\varphi(x)$. Only $m = \log_2 k < \log n$ steps are
required, hence if we know $\bar\sigma(x)$, we can compute $\bar\sigma^k(x)$ in time $O(\log k\,(n\log p)^{1+\varepsilon}) =
O((n\log p)^{1+\varepsilon})$.

Because $\bar\sigma^k(x)$ is a root of $\bar\varphi(X)$ and $\bar\varphi(X)$ is squarefree, we can now apply
Proposition 3 in order to lift $\bar\sigma^k(x)$ to $\sigma^k(x)$ modulo $p^N$ in time $O((Nn\log p)^{1+\varepsilon})$.
For $a(x) \in \mathbb{Z}_p[x]/\varphi(x)$ we have $\sigma^k(a(x)) \equiv a(\sigma^k(x)) \bmod \varphi(x)$, and hence
Theorem 2 allows us to compute this last expression with precision $p^N$ in time
$O((Nn\log p)^{1+\varepsilon})$, thereby proving the proposition. □

Corollary 1 Let $\alpha \in \mathbb{F}_{p^n}$, $\bar\sigma$ the Frobenius automorphism and $0 \leq k < n$. Then
we can compute $\bar\sigma^k(\alpha)$ in time $O((n\log^2 p)^{1+\varepsilon})$.

Proof. With $\mathbb{F}_{p^n}$ given as $\mathbb{F}_p[x]/\bar\varphi(x)$, we have shown above that $\bar\sigma^k(x)$ can be
computed in time $O((n\log^2 p)^{1+\varepsilon})$. Now writing $\alpha$ as $a(x)$ gives $\bar\sigma^k(a(x)) =
a(\bar\sigma^k(x))$, hence Theorem 2 gives the Corollary. □



2.4 Equations with Frobenius 

In this section we merely rephrase results from [1] using faster Frobenius
computations.

Proposition 6 Let $\alpha, \beta, \gamma \in \mathbb{Z}_{p^n} \bmod p^N$ with $\beta \equiv 0 \bmod p$. We can
compute the (unique) solution $X$ in $\mathbb{Z}_{p^n} \bmod p^N$ of $\alpha\sigma(X) + \beta X + \gamma = 0$ in time
$O(((N + \log p)n\log p)^{1+\varepsilon})$.

Proposition 7 Let $\phi(Y, Z)$ be a polynomial over $\mathbb{Z}_{p^n} \bmod p^N$ for which the
evaluation of $\phi$, $\partial\phi/\partial Y$ and $\partial\phi/\partial Z$ in any $(\alpha, \beta) \in (\mathbb{Z}_{p^n} \bmod p^N)^2$ requires at
most $\psi$ arithmetic operations in $\mathbb{Z}_{p^n} \bmod p^N$. Suppose we have $x_0 \in \mathbb{Z}_{p^n} \bmod
p^N$ such that $\phi(x_0, \sigma(x_0)) \equiv 0 \bmod p^{2\kappa+1}$ with $\kappa := \mathrm{ord}_p\big(\frac{\partial\phi}{\partial Z}(x_0, \sigma(x_0))\big)$. Then
we can compute $X \in \mathbb{Z}_{p^n} \bmod p^{N+\kappa}$ such that $\phi(X, \sigma(X)) \equiv 0 \bmod p^{N+\kappa}$ and
$X \equiv x_0 \bmod p^{\kappa+1}$ in time $O(((\psi N + \log p)n\log p)^{1+\varepsilon})$.

Proof of Proposition 6. In Section 12.6.1 of [1], an algorithm by Lercier
and Lubicz [6] is explained that computes the solution $X$. Its complexity is
determined by Algorithm 12.18 of [1], which gives $O(\log n\,((N + \log p)n\log p)^{1+\varepsilon})$
if we use Proposition 5 above; the factor $\log n$ is absorbed in the exponent $1 + \varepsilon$. □
Proof of Proposition 7. Again we recycle an algorithm of [1], namely
Algorithm 12.23, which computes a generalized Newton lift. Except for $O(\log N)$
evaluations of $\phi$, $\partial\phi/\partial Y$ and $\partial\phi/\partial Z$, its complexity is the same as the
one given in Proposition 6 above. Hence the total complexity is bounded by
$O(\psi\log N\,(Nn\log p)^{1+\varepsilon} + ((N + \log p)n\log p)^{1+\varepsilon})$. □

2.5 Teichmüller lift

Proposition 8 Given $a \in \mathbb{Z}_{p^n} \bmod p^N$, we can compute the Teichmüller lift of
$(a \bmod p)$ in time $O((Nn\log^2 p)^{1+\varepsilon})$.

Proof. As pointed out in Section 12.8.1 of [1], we can use Proposition 7 for
the polynomial $\phi(Y, Z) = Y^p - Z$ with $x_0 = a$ and $\kappa = 0$: indeed $\partial\phi/\partial Z = -1$ is a unit
and $a^p \equiv \sigma(a) \bmod p$, and the Teichmüller lift $t$ is characterized by $\sigma(t) = t^p$.
Evaluating $\phi$, $\partial\phi/\partial Y$ and $\partial\phi/\partial Z$ requires $O(\log p)$ elementary operations in
$\mathbb{Z}_{p^n} \bmod p^N$ and we find the proposition. □

2.6 Minimal polynomial, trace and norm 

Proposition 9 Let $\alpha \in \mathbb{Z}_{p^n} \bmod p^N$. We can compute the minimal polynomial
modulo $p^N$ of $\alpha$ over $\mathbb{Z}_p$ in time $O((Nn\log p)^{1+\varepsilon})$.

Corollary 2 Let $\alpha \in \mathbb{Z}_{p^n} \bmod p^N$. We can compute the trace $\mathrm{Tr}(\alpha)$ and norm
$\mathrm{N}(\alpha)$ over $\mathbb{Z}_p \bmod p^N$ in time $O((Nn\log p)^{1+\varepsilon})$.

A Teichmüller modulus is the minimal polynomial of a Teichmüller lift (see
Section 12.1 of [1]), or equivalently a divisor of $X^{p^n} - X$ for appropriate $n$.

Corollary 3 Given $\mathbb{F}_{p^n} = \mathbb{F}_p[x]/\bar\varphi(x)$, we can compute a Teichmüller modulus
$F(X)$ modulo $p^N$ which equals $\bar\varphi(X)$ modulo $p$ in time $O((Nn\log^2 p)^{1+\varepsilon})$.

Proof of Proposition 9. We follow an idea of [9] and [10] as explained in
Section 3 of [8]. Define the linear operator $P : \mathbb{Z}_p[x]/\varphi(x) \to \mathbb{Z}_p$ by $P(1) := 1$
and $P(x) = P(x^2) = \ldots = P(x^{n-1}) = 0$. We can compute, using the
fast modular power projection of Theorem 7.7 in [5], the sequence $P(1),
P(\alpha), \ldots, P(\alpha^{2n-1})$ in essentially linear time $O((Nn\log p)^{1+\varepsilon})$. The minimal
polynomial $c(X)$ of the sequence $\{P(\alpha^i)\}_{i \geq 0}$ equals the minimal polynomial of $\alpha$ modulo $p^N$,
and Step 2 of Shoup's algorithm refers to the fact that one can obtain this
minimal polynomial from the (fast) extended Euclidean algorithm for

$$g(X) = \sum_{i=0}^{2n-1} P(\alpha^i)\, X^{2n-1-i} \quad \text{and} \quad f(X) = X^{2n}.$$

Indeed, knowing a Euclidean expansion $c(X)g(X) + q(X)f(X) = r(X)$ for some
remainder $r(X)$ of degree at most $n - 1$ and with $c(X)$ of minimal degree, implies
that $c(X)$ is the minimal polynomial of $\alpha$. □
We note that for computing $\mathrm{N}(\alpha)$ a much more elegant algorithm was given
by Harley, see Section 12.8.5.c in [1]. Namely, if we write $\alpha$ as $a(x)$, the resultant
formula $\mathrm{N}(\alpha) = \mathrm{Res}_X(\varphi(X), a(X))$ can be computed in the same amount of
time as in Corollary 2 using a variant of Moenck's extended gcd algorithm [7].
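The following Python program is an added example and is not code from the paper or from any library it cites. It models $\mathbb{Z}_{p^n} \bmod p^N$ as $\mathbb{Z}[x]/(\varphi(x), p^N)$ with integer coefficient lists and walks through Sections 2.1 to 2.6 on one toy instance: Newton lifting of an inverse (Proposition 2) and of a simple root (Propositions 3 and 4), Frobenius conjugation by composing with $x^p$ and Hensel-lifting the conjugate root of $\varphi$ (Lemma 1, Proposition 5), a Teichmüller lift (Proposition 8, but obtained here as the root of $Y^{p^n} - Y$ by plain Newton iteration rather than through the $\sigma$-equation of Proposition 7), and the trace, norm, characteristic polynomial and Teichmüller modulus as a product over conjugates (Corollaries 2 and 3; the power-projection method of Proposition 9 is not implemented). Everything not in the paper is an assumption: the sample parameters $p = 5$, $n = 3$, $N = 4$ and $\varphi = x^3 + x + 1$ (no root modulo 5, hence inert), Horner composition in place of the Kedlaya–Umans composition of Theorem 2, and the Fermat inverse $\bar\beta^{p^n - 2}$ in place of the Euclidean inverse of [2]. The algebra matches the paper; the asymptotics do not.

```python
# Added example (not the paper's code): a toy model of Z_{p^n} mod p^N as
# Z[x]/(phi(x), p^N) with phi monic of degree n and irreducible mod p. Elements are
# lists of n integers, lowest degree first. Plain Horner composition stands in for the
# Kedlaya-Umans modular composition of Theorem 2, so only the algebra matches the paper.

def elem(c, n, pN):
    """Coerce an int or coefficient list to a reduced element of length n."""
    c = [c] if isinstance(c, int) else list(c)
    return [v % pN for v in c] + [0] * (n - len(c))

def add(a, b, pN):
    return [(u + v) % pN for u, v in zip(a, b)]

def sub(a, b, pN):
    return [(u - v) % pN for u, v in zip(a, b)]

def mulmod(a, b, phi, pN):
    """a*b reduced modulo the monic polynomial phi and modulo p^N."""
    n = len(phi) - 1
    prod = [0] * (2 * n - 1)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            prod[i + j] = (prod[i + j] + ai * bj) % pN
    for k in range(2 * n - 2, n - 1, -1):          # rewrite x^k (k >= n) via phi
        c = prod[k]
        for j in range(n + 1):
            prod[k - n + j] = (prod[k - n + j] - c * phi[j]) % pN
    return prod[:n]

def powmod(base, e, phi, pN):
    """Square-and-multiply: base^e in Z[x]/(phi, p^N)."""
    n = len(phi) - 1
    result, b = elem(1, n, pN), elem(base, n, pN)
    while e:
        if e & 1:
            result = mulmod(result, b, phi, pN)
        b, e = mulmod(b, b, phi, pN), e >> 1
    return result

def compose(f, g, phi, pN):
    """f(g(x)) mod phi by Horner; the coefficients of f may be ints or ring elements."""
    n = len(phi) - 1
    acc = [0] * n
    for c in reversed(f):
        acc = add(mulmod(acc, g, phi, pN), elem(c, n, pN), pN)
    return acc

def inverse(beta, phi, p, N):
    """1/beta: Fermat inverse in F_{p^n}, then Newton steps u <- u(2 - beta*u), each
    doubling the p-adic precision (the lifting step in the proof of Proposition 2)."""
    n, pN = len(phi) - 1, p ** N
    if all(c % p == 0 for c in beta):
        raise ValueError("beta is not a unit")
    u, prec = powmod(beta, p ** n - 2, phi, p), 1
    while prec < N:
        u = mulmod(u, sub(elem(2, n, pN), mulmod(beta, u, phi, pN), pN), phi, pN)
        prec *= 2
    return u

def newton_root(f, y0, phi, p, N):
    """Lift a simple root y0 (mod p) of f(Y) to a root mod p^N with quadratic
    convergence (Propositions 3 and 4); f is a coefficient list, lowest degree first."""
    n, pN = len(phi) - 1, p ** N
    fprime = [i * c if isinstance(c, int) else [i * v for v in c]
              for i, c in enumerate(f)][1:]
    y, prec = elem(y0, n, pN), 1
    while prec < N:
        fy, dfy = compose(f, y, phi, pN), compose(fprime, y, phi, pN)
        y, prec = sub(y, mulmod(fy, inverse(dfy, phi, p, N), phi, pN), pN), 2 * prec
    return y

def frobenius(alpha, k, phi, p, N):
    """sigma^k(alpha), sigma the p-th power Frobenius (Proposition 5): x^p mod phi over
    F_p, then sigma^k(x) by repeated composition A(B(x)) = x^{p^(a+b)} (Lemma 1), then a
    Newton lift of that root of phi to precision p^N, then alpha(sigma^k(x))."""
    n, pN = len(phi) - 1, p ** N
    x = elem([0, 1], n, pN)
    acc, base, k = x, powmod(x, p, phi, p), k % n   # sigma^n is the identity
    while k:
        if k & 1:
            acc = compose(acc, base, phi, p)
        base, k = compose(base, base, phi, p), k >> 1
    return compose(alpha, newton_root(phi, acc, phi, p, N), phi, pN)

def teichmuller(a, phi, p, N):
    """Teichmuller lift of (a mod p): the root of Y^{p^n} - Y congruent to a mod p.
    Lifted here by plain Newton iteration instead of the sigma-equation of Proposition 7."""
    return newton_root([0, -1] + [0] * (p ** (len(phi) - 1) - 2) + [1], a, phi, p, N)

def char_poly(alpha, phi, p, N):
    """prod_k (X - sigma^k(alpha)): the characteristic polynomial of alpha over Z_p mod
    p^N, lowest degree first with Z_p coefficients. It is the minimal polynomial of
    Proposition 9 when alpha generates the ring; -Tr(alpha) and (-1)^n N(alpha) are its
    X^{n-1} and X^0 coefficients (Corollary 2)."""
    n, pN = len(phi) - 1, p ** N
    poly = [elem(1, n, pN)]                          # polynomial in X, ring coefficients
    for k in range(n):
        c = frobenius(alpha, k, phi, p, N)
        nxt = [elem(0, n, pN) for _ in range(len(poly) + 1)]
        for i, a in enumerate(poly):                 # multiply by (X - c)
            nxt[i + 1] = add(nxt[i + 1], a, pN)
            nxt[i] = sub(nxt[i], mulmod(a, c, phi, pN), pN)
        poly = nxt
    return [a[0] for a in poly]                      # higher coordinates are all zero
```

Usage on the sample instance: `frobenius([0, 1, 0], 1, [1, 1, 0, 1], 5, 4)` returns $\sigma(x)$ modulo $5^4$, `char_poly([0, 1, 0], [1, 1, 0, 1], 5, 4)` returns $\varphi$ itself, and `char_poly(teichmuller([0, 1, 0], [1, 1, 0, 1], 5, 4), [1, 1, 0, 1], 5, 4)` is a Teichmüller modulus congruent to $\varphi$ modulo 5. Two checks worth keeping in mind when adapting this: the Newton loops assume the starting value is a simple root modulo $p$ (the derivative must be a unit, which `inverse` enforces by raising), and the Fermat inverse costs $O(n \log p)$ ring multiplications, so it is only sensible for toy sizes.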






References 



[1] H. Cohen, G. Frey, R. Avanzi, C. Doche, T. Lange, K. Nguyen, and F. Vercauteren, editors. Handbook of elliptic and hyperelliptic curve cryptography. Discrete Mathematics and its Applications (Boca Raton). Chapman & Hall/CRC, Boca Raton, FL, 2006.

[2] J. von zur Gathen and J. Gerhard. Modern computer algebra. Cambridge University Press, New York, 1999.

[3] H. Hubrechts. Point counting in families of hyperelliptic curves. Foundations of Computational Mathematics, 8(1):137-169, 2008.

[4] H. Hubrechts. Point counting in families of hyperelliptic curves in characteristic 2. LMS J. Comput. Math., 10:207-234, 2007.

[5] K. Kedlaya and C. Umans. Fast polynomial factorization and modular composition. Preprint.

[6] R. Lercier and D. Lubicz. Counting points on elliptic curves over finite fields of small characteristic in quasi quadratic time. Advances in Cryptology - Eurocrypt 2003, Lecture Notes in Computer Science 2656, 360-373, 2003.

[7] R. T. Moenck. Fast computation of GCDs. Proceedings of the 5th Annual ACM Symposium on the Theory of Computing, 142-151, 1973.

[8] V. Shoup. Fast construction of irreducible polynomials over finite fields. Journal of Symbolic Computation, 17(5):371-391, 1994.

[9] J. Rifà and J. Borrell. Improving the time complexity of the computation of irreducible and primitive polynomials in finite fields. Proc. AAECC-9, Lecture Notes in Computer Science 539, 12:352-359, 1991.

[10] A. Thiong Ly. Note for computing the minimum polynomial of elements in large finite fields. Coding Theory and Applications, Lecture Notes in Computer Science 388, 185-192, 1989.

[11] F. Vercauteren. Computing zeta functions of curves over finite fields. Ph.D. thesis, Katholieke Universiteit Leuven, 2003.






